Re: chkrootkit and linux 2.6

To: Miek Gieben <miekg@atoom.net>
Cc: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Re: chkrootkit and linux 2.6
From: David Ehle <ehle@agni.phys.iit.edu>
Date: Tue, 2 Dec 2003 13:56:19 -0600 (CST)
Message-id: <[🔎] Pine.LNX.4.44.0312021353490.1835-100000@agni.phys.iit.edu>
In-reply-to: <[🔎] 20031202173231.GA11329@atoom.net>

Right now chkrootkit gets lots of false positives regarding LKMs.  There
was a pretty thorough discussion just a couple days ago so look through
the archive for the details:
http://lists.debian.org/debian-security/

So, its _probably_ a false alarm, but ....

--
David Ehle
Computing Systems Manager
CAPP CSRRI
rm 077
LS Bld. IIT Main Campus
Chicago IL 60616
ehle@iit.edu
312-567-3751


On Tue, 2 Dec 2003, Miek Gieben wrote:

> Hello,
>
> When reading again about the (Debian) breakin, it said you should run chkrootkit
> to see if you have a rootkit installed. Well I did. But now it is complaining
> about a LKM rootkit. But i'm running a 2.6 kernel, is this still valid then?
>
> I've checked the md5sums of some commands (ps, kill, ...) and they are equal
> to the ones I just downloaded from a debian archive.
>
> I'm not subscribe to the list - so please cc me,
>
> thanks,
>
> grtz
>       Miek
> --
> Serenity now!
> -- Frank Costanza (Seinfeld)
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>

Reply to:

Follow-Ups:
- Re: chkrootkit and linux 2.6
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: chkrootkit and linux 2.6
  - From: Miek Gieben <miekg@atoom.net>

References:
- chkrootkit and linux 2.6
  - From: Miek Gieben <miekg@atoom.net>

Prev by Date: Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
Next by Date: Re: [SECURITY] [DSA-403-1] userland can access Linux kernel memory
Previous by thread: chkrootkit and linux 2.6
Next by thread: Re: chkrootkit and linux 2.6
Index(es):
- Date
- Thread